Expert Insights | November 19, 2025

CMMC Rulemaking Finalized and Enforcement Begins: November 2025 Cyber AB Town Hall Recap

With Phase 1 enforcement now underway, the November Cyber AB Town Hall came at a pivotal moment for the Defense Industrial Base. Not only is the full CMMC rule now in effect under both 32 CFR and 48 CFR, but contract language requiring CMMC certification has already begun appearing in live solicitations. This meeting offered a timely look at what’s changed, what’s working, and what still needs clarification as the ecosystem shifts into full implementation mode.

From a Department of War PMO spotlight to an in-depth look at the ecosystem’s year in review, the November meeting served as both a milestone checkpoint and a preview of what’s ahead. Below, we break down the most important updates and what they mean for OSCs preparing for certification in the months ahead.

CMMC enforcement is live and all rulemaking is now in effect

Matt Travis opened the session by confirming that the final piece of CMMC rulemaking, Title 48, is now officially in effect. This marks the full codification of CMMC under both 32 CFR and 48 CFR, giving the Department of Defense the authority to include CMMC requirements in new contracts, task orders, option periods, and contract extensions.

This doesn’t mean every contractor needs to be certified immediately. Instead, organizations will need to be certified before contract award if a solicitation includes a CMMC requirement. The Department of Defense estimates that 70,000 contracts will require CMMC Level 2 certification. However, both Matt Travis and PMO representative Dana Mason emphasized that the true number of organizations affected could be significantly higher, especially as scoping guidance evolves. 

Contractors handling both FCI and CUI may need to undergo separate Level 1 and Level 2 assessments, since different environments, boundaries, and personnel may be involved. That means dual scoping — and potentially dual assessments — could be in play for many organizations.

What the Department of War PMO is seeing across assessments

One of the most important segments of the meeting came from Dana Mason of the DoW PMO, who offered real-world observations from ongoing acquisition activity. According to Mason, solicitations that require Level 2 certification are now actively moving through the source selection process. She cited one major program currently underway that involves 250 primes and 1,500 subs — all of whom must present a valid Level 2 certificate issued by a C3PAO in order to remain eligible.

This is a wake-up call for any organization still waiting for a more definitive enforcement milestone. It’s here. Some solicitations are already requiring certification, and the window to act is shrinking fast.

Mason also addressed several ongoing pain points in the ecosystem:

  • Scoping disagreements between OSCs and C3PAOs remain a top cause of assessment delays. If agreement can’t be reached, the OSC may need to find a new assessor.
  • Self-assessments are valid for Phase 1, but the bar for documentation and readiness is still high.
  • External Service Provider (ESP) confusion continues. OSCs are often unclear on how to document ESP relationships, which services require FedRAMP, and how to reflect these providers in their assessment scope.

In the live Q&A, a participant asked whether CMMC requirements could be added to contracts retroactively. Both Mason and Wayne Boline clarified that no, CMMC cannot be inserted into base contracts already in effect. But it can apply to extension years, so if your contract is being renewed, certification may become a factor.

Certification activity and ecosystem growth reflect real progress, but Tier 3 remains a bottleneck

The CMMC ecosystem is showing strong momentum heading into the enforcement phase. Certification numbers have continued to climb, with Mason noting there are currently 459 affirmed Level 2 certifications and 115 pending affirmations within SPRS, which includes and DIBCAC joint surveillance assessments. That’s in addition to the many more currently engaged in assessments or working toward readiness.

Authorized C3PAOs and credentialed professionals are also on the rise. The number of Certified CMMC Assessors (CCAs) has more than doubled in the past year, and there are now 88 authorized C3PAOs supporting the growing demand for assessments. Growth in Certified Professionals (CCPs), Registered Practitioners (RPs), and Registered Provider Organizations (RPOs) also points to a healthy and expanding ecosystem.

However, Tier 3 background checks continue to act as a bottleneck. According to Mike Snyder, a completed Tier 3 investigation is required for CCPs and CCAs to be considered "in good standing" and eligible to participate in assessments. The Cyber AB acknowledged growing frustration around processing delays, but confirmed that Tier 3 reviews have resumed and backlogs are slowly improving.

One notable update: U.S. citizenship is no longer required for CCP or CCA status. Non-citizens from outside NATO countries are now eligible to participate in assessments, although some country-specific adjustments may still apply.

C3PAO Advisory council committees are now driving policy input

After several months of formation, the C3PAO Advisory Council has now transitioned into an active working body. According to the Cyber AB, five subcommittees are currently focused on five key areas: refining assessment guidance (such as sampling and pauses), clarifying external service provider expectations, revising CAP formatting, informing the design of a CUI emblem for certified OSCs to use in lieu of posting their certificates, and providing consistent input based on feedback from ongoing assessments.

While the Council does not have policy-setting authority, its input will inform the Cyber AB and DoD as they revise core materials like the CMMC Assessment Process (CAP) and related templates. 

Several attendees asked if Advisory Council applications would reopen. The Cyber AB reiterated that participation is currently closed, but feedback from the broader ecosystem is always welcome.

PMO outlook: International growth and NIST 800-171 Rev 3 alignment ahead

Mason’s segment also offered a glimpse into what’s coming in 2026. Her team is already working on new guidance to help standardize scoping and self-assessment expectations. She also confirmed that Rev 3 alignment is coming, and the PMO is closely tracking final guidance from NIST on SP 800-171.

International participation continues to grow as well. Hundreds of assessments have already been submitted from contractors in the UK, Canada, South Korea, Japan, Israel, and beyond. In the Q&A chat, the Cyber AB confirmed that non-U.S. citizens may complete Tier 3 investigations and participate fully in the ecosystem, provided requirements are met.

Mason also urged OSCs to ensure they properly affirm assessments in SPRS after completion. Contractors who skip this step may appear as non-compliant in procurement systems, even if their assessment is otherwise valid.

CAICO and Cyber AB updates

With rulemaking finalized, attention is now shifting to implementation at scale. Several updates from the Cyber AB and CAICO are designed to support this next phase:

  • All pending CCA and Lead CCA validations have now been reviewed. Those who completed manual validations will receive instructions and discount codes to resubmit in the updated portal.
  • A major overhaul of the Registered Practitioner (RP) program is coming in mid-2026.
  • Updated CCP and CCA training content will launch early in 2026, incorporating the 32 CFR rule and sunsetting delta training.
  • Marketplace 2.0 is in development to improve vendor and supplier discoverability for primes.
  • C3PAO accreditation will begin aligning to ISO 17011 next year.
  • Major events are planned for early 2026, including CS5 West in April.

Q&A highlights

As usual, the Q&A chat surfaced additional insights worth noting:

  • Level 2 self-assessments are valid during Phase 1. Contractors can self-attest to meeting all 110 controls if third-party certification is not yet required.
  • Attesting in SPRS doesn’t require new evidence. When reaffirming certification after one year, you only need to click “affirm.” No new SSP submission is required.
  • Level 1 includes 15 requirements. The CMMC Level 1 Assessment Guide confirms the correct count, despite older references to 17.
  • No hierarchy among credentialed individuals. The Cyber AB reiterated that being “first” to receive a credential does not imply a higher standing in the ecosystem.
  • No list of Level 2 certified companies is available. For privacy and security reasons, the Cyber AB does not publish a public list of certified OSCs.
  • No list of “bad actors” will be published. The Cyber AB confirmed it has no plans to call out non-compliant turnkey vendors or consultants.

Stay ready as CMMC demand accelerates

CMMC assessment requirements are now appearing in Department of Defense contracts, and contractors without proper certification are finding themselves locked out of award eligibility. With thousands of assessments expected in 2026 and a still-limited number of C3PAOs, organizations need to move quickly.

That means defining scope, finalizing documentation, and working with a trusted advisor to prepare for either self-assessment or third-party certification, depending on what your contract requires.

We’ll continue to track updates and insights from each Cyber AB Town Hall. For ongoing coverage, check out past recaps in the CMMC.com newsroom.